
Unknown Trojan (reaching out to kicker555.no-ip.info)

Hey all, long time no see.

I've discovered a trojan that may include a keylogger on one of my computers today. Quite by accident while repairing some damage done to my DSL modem (my fault!), I noticed it logs the addresses of all websites that computers on my internal network are trying to reach.

Watching my traffic with Wireshark, I notice a number of DNS resolution queries for kicker555.no-ip.info. That's a dynamic domain provider, resolving the particular domain to 8.4.112.108 (as of today). After the resolution completes the infected PC contacts that IP address on port 81. A scan of that address/port shows it to be filtered, with a service running (nmap reports it as hosts2-ns - a nameserver?)

I suspect there may be a keylogger because a Google search on some terms (like the IP address and DNS name) has returned a few results - some saw files with their keystrokes.

There's very, very little information out there, no one has really removed or researched it. Of course, SpyBot S&D and Symantec AV find nothing.

Any suggestions? I'd like to figure out what running services are triggering those DNS queries, where the binaries exist, and eventually how I got them here.

At this point I've used my network hardware to block any activity to those domains, but I know the trojan is still active on this system.

Run an online scan: Panda and Trendmicro are good. Might also try AVG's anti-spyware. I believe an app like Activescan or TCPview will give you the .exe accessing that ip address if you are watching it. MS's port reporter would log the app probably. Sounds like you got your work cut out for you.

TCPview isn't really telling me anything - if there's a rootkit involved it wouldn't surprise me if it's hiding itself from WinXP. That IP address may be registered to Level3, but I'm guessing they've partitioned it out and leased part of it off...

Yeah, I didn't think about it until after I posted, but TCPview, Port Reporter and Active Ports aren't going to give you anything until they connect with an ip address. And apparently you got this stuff blocked.

I'd tread lightly around any Level3 IPs. I know for a fact they do some DoD work. You never know what's going into those logfiles.

When the Trojan is first installed, it creates the following files:
%ProgramFiles%\Bifrost\server.exe
%ProgramFiles%\Bifrost\klog.dat

The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}\"stubpath" = "%ProgramFiles%\Bifrost\server.exe s"

It then creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_CURRENT_USER\Software\Bifrost

The Trojan launches Internet Explorer in hidden mode and injects itself into the iexplorer.exe process in an attempt to bypass any firewall that may be running.

It then opens a back door by contacting the [REMOVED]-life.no-ip.info domain through TCP port 81 allowing it to perform various actions on the compromised computer, such as downloading files from and to the Internet, and stealing confidential information.
</snip>

Fairly recent, too, and it fits the M.O. of what I saw in the raw packets.
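The pattern observed in the thread (a lookup of a dynamic-DNS name, then a connection from the same host to the resolved address on TCP 81) can be checked mechanically against a capture export. The script below is an added example, not something posted in the thread or shipped by any tool; it assumes a tshark-style one-line-per-packet text format and uses a constructed sample log modelled on the traffic described above.

```python
import re
from collections import defaultdict

# Constructed sample of a tshark-style text export: one infected host looks up the
# no-ip.info name from the thread and connects to the answer on port 81; a second
# host does an ordinary lookup and connects on port 80 (should not be flagged).
SAMPLE_LOG = """\
1 0.000 192.168.1.20 -> 192.168.1.1 DNS Standard query A kicker555.no-ip.info
2 0.031 192.168.1.1 -> 192.168.1.20 DNS Standard query response A 8.4.112.108
3 0.045 192.168.1.20 -> 8.4.112.108 TCP 1045 > 81 [SYN]
4 1.200 192.168.1.21 -> 192.168.1.1 DNS Standard query A www.example.com
5 1.230 192.168.1.1 -> 192.168.1.21 DNS Standard query response A 93.184.216.34
6 1.250 192.168.1.21 -> 93.184.216.34 TCP 1046 > 80 [SYN]
"""

# Dynamic-DNS suffixes to treat as suspicious (no-ip.info is the one named in the
# thread; extend the tuple for other providers) and the beacon port seen there.
DYNDNS_SUFFIXES = ("no-ip.info",)
SUSPICIOUS_PORTS = {81}

# Line shapes assumed for the export format (hypothetical, adjust to your own export).
QUERY_RE = re.compile(r"^\d+ [\d.]+ (\S+) -> \S+ DNS Standard query A (\S+)$")
RESPONSE_RE = re.compile(r"^\d+ [\d.]+ \S+ -> (\S+) DNS Standard query response A (\S+)$")
SYN_RE = re.compile(r"^\d+ [\d.]+ (\S+) -> (\S+) TCP \d+ > (\d+) \[SYN\]$")


def find_beacons(log):
    """Return (client, domain, ip, port) for every dynamic-DNS lookup that is
    followed by a SYN from the same client to the resolved IP on a suspicious port."""
    pending = {}                  # client -> dyn-DNS name awaiting an answer
    resolved = defaultdict(dict)  # client -> {answer ip: dyn-DNS name}
    hits = []
    for line in log.splitlines():
        m = QUERY_RE.match(line)
        if m:
            client, name = m.groups()
            if name.endswith(DYNDNS_SUFFIXES):
                pending[client] = name
            continue
        m = RESPONSE_RE.match(line)
        if m:
            client, ip = m.groups()
            if client in pending:          # only track answers to flagged lookups
                resolved[client][ip] = pending.pop(client)
            continue
        m = SYN_RE.match(line)
        if m:
            client, dst, port = m.groups()
            if dst in resolved[client] and int(port) in SUSPICIOUS_PORTS:
                hits.append((client, resolved[client][dst], dst, int(port)))
    return hits
```

Each hit names the internal host to examine, which is the starting point for finding the process and binary behind the queries.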

So the trojan has access permission to the IP address, and all other clients are blocked. Can't you still track their location (or hosting company) if you have the IP? And if you contact the host, will they ban and take legal action against this guy, or void your inquiry? Just seems very ignorant leaving a direct path to himself... unless he's well protected. Explanations???


There are hundreds, if not thousands of local ISPs whose users will resolve to a Level3 host.